• Slower via PFsense than direct WIFI

    18
    0 Votes
    18 Posts
    2k Views
    randombitsR

    Thanks Steve, Yes, It's quite difficult to nail it down to why I get these speed variations between WIFI and ethernet.

    The master socket is one side of a door frame and the other is a phone extension socket along with a twin power socket. Don't worry I won't get the PCI version. The whole idea is to have separate devices. It's a pity the V130 isn't POE that would make life easier. I did think about using an existing phone wire (4pairs) as a power cable(12V) for the V130 and power it from another location over that. That would put a V130 right next to the incoming master socket. Then I could use another pair in the same cable as a VOIP extension to the existing phone extension socket. I would only need put CAT6 up the wall next to the phone cable into the loft.

  • How can I backup a production image?

    10
    0 Votes
    10 Posts
    1k Views
    G

    @chpalmer thanks for the response:

    @chpalmer said in How can I backup a production image?:

    @guardian said in How can I backup a production image?:

    Am I missing something?

    What I've done in the past is to keep a spare storage device.. Identical to the drive that is in my box.. loaded and ready to go for my site here.

    I might have to buy another drive and do a fresh install to that drive, but I would rather not have to open the box.

    And a spare box ready to go that I can back up to that is kept for several of my remote sites.
    Great idea, it's simply a matter of economics

    I would ask- what if during the action of re-imaging a drive you have problems? You could be fighting an unknown for a longer period and possibly not get there. Then how do you ask for help from a community that has not themselves attempted what you are trying to do? And on a production system that people are counting on..

    That is a possibility, but nothing is risk free.

    IIUC what I am trying to do should be as simple as:

    1. Boot an install USB into the single user rescue mode
    2. Mount the internal partition
    3. Mount the ZFS slice on the flash drive
    4. Doing a tar czvf.

    A restore would replace step 4 with

    1. rm -rf on the botched install
    2. tar xzvf

    Is there any reason this should not work?

    My first question of my people would be- "why did you choose to take that course of action when the manufacturer recommends another?"
    The course of action that I am considering is a fallback only. My plan is to run the upgrade first, if it works, job done, if that fails run a new install, if that fails then use the backup.

    If your connection is indeed that important.. that you have no down time, then you should have a standby at the very least. And you should already know that the latest installer is going to work on the standby.

    IMHO ☺
    I agree entirely, economics often rules, especially in a home installation.

    @stephenw10 said in How can I backup a production image?:

    Having a recovery plan is pretty much vital even for a home user if you have any sort of reliance on your connection.

    Agreed

    Your points about a newer version being incompatible with your hardware are valid. Though unlikely IMO.

    In a commercial setting I would suggest setting up a test install (preferably on identical hardware) and updating that before doing so on the production equipment. That's impractical for most home users.
    However the cost of small SSDs is relatively low these days. You could get a new SSD swap that out and install 2.5 on it. Restore your config and see what happens. Swapping back to the 2.4.4 SSD is trivial if it doesn't go smoothly.

    That's what I may be forced to do, but I can't see why what I have outlined above shouldn't work.

    It would certainly work with a Linux system (if boot were a separate partition, I would have to make a second tar file for boot). I don't know enough about FreeBSD, but maybe I would need to run some other utility to preserve the boot code.

  • VPN+TOR Setup not working as intended

    3
    0 Votes
    3 Posts
    628 Views
    KOMK

    And that solution would be.......?

  • Dual WAN failover tolerances

    2
    0 Votes
    2 Posts
    261 Views
    stephenw10S

    Yes you can set the monitoring preferences for each gateway by editing it in System > Routing > Gateways. If you are using packet loss or latency rather than only member down on the group it will trigger the failover.
    The default settings for throwing an alarm of 20% packet loss and 500ms latency are usually good though unless you have an unusual WAN like a satellite link.

    Steve

  • 0 Votes
    1 Posts
    686 Views
    No one has replied
  • Adding a 5th VMXNET 3 interface makes my appliance stop working

    4
    0 Votes
    4 Posts
    682 Views
    awebsterA

    This isn't anything specific to FreeBSD, but rather how VMWare maps the NICs into the guest OS. The same issue occurs with Linux.
    While it isn't always possible to add all the interfaces you think you might need in advance, if you get stuck with this issue, you will need to go match up the MAC addresses VMWare has assigned to the NICs to the MAC addresses seen by pfSense, and reconfigure the interfaces appropriately if they have changed.

  • [REQUEST] Certificate Manager Expiration Notification

    3
    0 Votes
    3 Posts
    532 Views
    dragoangelD

    Thanks, done. https://redmine.pfsense.org/issues/9703

  • Website won't load: operation timed out

    33
    0 Votes
    33 Posts
    5k Views
    F

    Ok, I'm glad we found the problem.. I didn't get the Sonicwall message, and because the router is pretty new, I thought it was my own fault..

    The vendor is now aware of the problem. They will fix it. Thanks for the help, sorry it wasn't really a pfsense issue.

  • Limit bandwidth for User per day

    2
    0 Votes
    2 Posts
    208 Views
    stephenw10S

    It's possible to do that using the captive portal with radius accounting enabled.

    See: https://youtu.be/nJ3NzU_7xd0?t=2279

    Steve

  • Unpredictable connection timeouts

    10
    0 Votes
    10 Posts
    3k Views
    stephenw10S

    The only actual issue I see there are two re-transmissions but that may be normal packet loss. Not really something that should kill the connection. You are seeing traffic in both directions there.

    Was that pcap on the WAN? How was it filtered? Do you see anything different on the internal interface?

    Steve

  • 0 Votes
    3 Posts
    376 Views
    S

    That was quick! Thanks so much for the reply. I was wondering if it was something like that. I just don't have the time to do a lot of tinkering these days. Much appreciated!

    Thanks,
    Supe

  • 0 Votes
    12 Posts
    10k Views
    A

    Not fixed as of 2.4.4-RELEASE-p3 (amd64)
    built on Wed May 15 18:53:44 EDT 2019
    FreeBSD 11.2-RELEASE-p10.

    Only after appending the text dump of my ca cert to /usr/local/share/certs/ca-root-nss.crt was I able to send test messages.
    "Validate the SSL/TLS certificate presented by the server" had no effect.
    Package captures verified that pfsense was rejecting the certificate being returned by my email server.

  • Auto Config Backup unavailable?

    13
    0 Votes
    13 Posts
    1k Views
    KOMK

    @gwaitsi While I agree with everything you said, you really should be maintaining your own manual backups and not trust the cloud to never rain on you. Having a cloud save is nice, but nothing is better than having a local backup.

  • [SOLVED] Unable To Reach Second pfSense Firewall On LAN

    32
    0 Votes
    32 Posts
    3k Views
    P

    @Derelict said in Unable To Reach Second pfSense Firewall On LAN:

    That is completely normal since the secondary has no route back to the connecting client since the VPN is running on the primary.

    Workaround:

    https://docs.netgate.com/pfsense/en/latest/highavailability/troubleshooting-vpn-connectivity-to-a-high-availability-secondary-node.html

    Ah okay that's good to know, I was afraid I had misconfigured something. I can successfully connect to services on our network from exposed ports on the WAN IP of the second firewall. I guess the only thing left to do now is properly configure HA. Thanks all!

  • Unable to get WAN DHCP lease by ISP

    8
    0 Votes
    8 Posts
    791 Views
    R

    Hello everyone

    Thank you very much for all of your comments.

    I finally managed to get it back up running again:

    Whenever you change the mac that is going to be connected to cable modem, you normally need to reboot the cable modem between so it gives up its old pairing.

    That did half of the trick. Even though I rebooted the cable modem a few times, apparently I never rebooted it between interface changes. It looks like it is necessary to reboot the modem really after every single time the MAC address changes.

    After getting a DHCP IP eventually, I still could not reach the internet for some reason. What was missing was that I needed to select System -> Routing -> Gateways and select WAN_DHCP from the dropdown list for "Default gateway IPv4" (It was set to "Automatic"). For some reason, automatic did not select the only gateway in this list...

  • Unable to Browse Internet

    21
    0 Votes
    21 Posts
    2k Views
    W

    I appreciate everyone's help in troubleshooting the experience I was having. ATT provided a new modem and has resolved the connectivity issue.

  • WAN Interface IP address - noob config question

    21
    0 Votes
    21 Posts
    2k Views
    stephenw10S

    Yeah, I would recommend always setting the gateway to something specific there.

    Steve

  • Crash Log - How do I get it?

    5
    0 Votes
    5 Posts
    341 Views
    GertjanG

    @mike3y said in Crash Log - How do I get it?:

    All internet stopped working.

    Check your logs if there are any indications.

  • Problem with internet access of LAN network

    5
    0 Votes
    5 Posts
    315 Views
    KOMK

    OK, I think I see what happened. When curl tried IP4 silently, it failed to connect, so then it switches to IP6 and shows it. This same effect happens when you're blocked and you try to update Ubuntu. You get a screen full of blocked IP6 attempts.

  • XML config file explained in detail

    Moved
    2
    0 Votes
    2 Posts
    295 Views
    KOMK

    I'm not aware of any such document. The xml file should be self-explanatory for the vast majority of things. Perhaps if you list what you're specifically not understanding, someone can help.

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.